Comments on System Programming: Hijack Linux System Calls: Part III. System Call Table
(blog comments feed by Alexey Lyashko, last updated 2023-04-26; 17 comments, newest first)

Alexey Lyashko (2013-11-03 15:49 +03:00):
AFAIK, there is no easy way to add a system call without recompiling the kernel. That would involve too much kernel patching. So, basically, if it is possible to recompile - do that, otherwise - dig kernel sources for system call related stuff and patch it.

P.S. Thanks for the question, it is worth trying myself and writing another article ;)

Anonymous (2013-11-03 04:48 +03:00):
Hi Alexey,
Thanks to your article I was able to do something. Sorry for my ignorance beforehand, but I want to ask a question.
I don't want to rebuild the kernel all again, so is it possible to implement a new system call with your method? If not, at least I am planning to add a new system call which literally does nothing and then intercept it with custom modules. That would still

Alexey Lyashko (2013-09-20 14:21 +03:00):
Hi Amit,

to put it simply - the kernel knows whether we are trying to open/read/write/close a file on disc or a device node. In the case of a device node, the creator of the LKM has to implement all the needed "IO" functionality and populate the file_operations structure with pointers to those implementations. This structure is passed to the kernel upon module loading, so the

Anonymous (2013-09-19 18:13 +03:00):
Thanks Alexey for publishing this article.

I would like to know here how sys_call is interfaced with an LKM. AFAIK, when we write to a device file, say /dev/fpga, using the write() call in userspace with 3 arguments, it will be linked to sys_write in kernel space, which further is linked to the LKM. Now how is this linking between sys_write and the LKM maintained?

Alexey Lyashko (2013-01-18 16:13 +03:00):
Hi Fredrik,

glad you found this useful.

Could you drop me a line at my private email (on the "Contact information" page) and we'll go through that.

Fredrik Persson (2013-01-18 14:45 +03:00):
Thank you for a great tutorial on this.

I'm trying to build this for the MIPS architecture. It seems that the symbol lookup_address is not available on that arch. I get:

error: implicit declaration of function 'lookup_address'

... when I try to build. On x86 it works fine. Do you have any idea how to fix this?

Alexey Lyashko (2012-07-09 02:08 +03:00):
First of all, sorry for the delay.

These articles contain all the references needed to make the code run on your system. Besides - these articles are not a tutorial. This is just a demonstration. Read this, use your kernel source and it will run.

Rui Han (2012-06-14 07:20 +03:00):
Thanks for sharing. I went through all your three tutorials in this series, but my source code won't compile based on those articles; multiple errors appeared. I am a newbie in Linux kernel module programming. I just want to know if you can provide the single workable source code that can intercept sys_open() in kernels above 2.6.38, for example Ubuntu 12.04 with kernel 3.2.0. Thank you very much.

Rui Han (2012-06-14 06:41 +03:00):
This comment has been removed by the author.

Alexey Lyashko (2012-06-13 16:38 +03:00):
No problem. There was no inconvenience. But I cannot delete your posts. Since you are anonymous, I cannot tell whether those posts are truly yours or not. So, I will leave them here.

Anonymous (2012-06-13 16:29 +03:00):
Honestly, I am sorry about the inconvenience.
Please, delete my posts.
As an answer: in the first posting I was talking about kernel module development, as you do.
(You did not complain.)
The second post was only because of a "feeling of responsibility".
I was giving information which is wrong nowadays. If somebody tries my
code .................sorry.

Alexey Lyashko (2012-05-30 13:42 +03:00):
Honestly, I do not understand how your code is related to this article?

Anonymous (2012-05-30 09:24 +03:00):
Must update previous. I installed Ubuntu 12.04 with kernel 3.2.0.23.

The program:

    #include <stdlib.h>   /* system() */
    #include <unistd.h>   /* setuid() */

    int main(int argc, char *argv[])
    {
        setuid(0);          /* now you have root - if the LKM is loaded! */
        system("/bin/bash");
        return 0;
    }

doesn't work anymore! (I mean EXACTLY as above.)
Somebody reading this - or otherwise?

Anonymous (2012-04-12 11:59 +03:00):
This "not exporting symbols" is very annoying to me.
Linux is supposed to be "free", so why not give symbols?
Am I right that it is something to do with "security"?
But if a module is running with all privileges, security is not possible!
Anyway, I did a small demonstration showing that this policy does not help.

I did an LKM which

Alexey Lyashko (2012-04-04 19:18 +03:00):
I know what you mean by all this. It has become a problem since the first time sys_call_table was not exported.

What you can do, instead of recompiling your code with each new kernel version (or each time you recompile your kernel), is to add support for the write operation on the device file - this way you can write the address obtained from System.map (which you can obtain automatically

Anonymous (2012-04-04 12:15 +03:00):
To be more specific: to seek the whole memory as "ptr[__NR_close] == (unsigned long) sys_close".
What if sys_close is not exported any more?

Anonymous (2012-04-04 12:03 +03:00):
Thanks Alexey - great job you do!

Then follow some questions:
The sys_call_table address is not exported any more with new kernels. I use 3.2.0. You can get the address, for example, as "sudo grep sys_call_table /boot/System.map-3.2.0". But what about the future? Is the map changed?
The brute force method works with __NR_..., seeking the whole memory. But what then, when __NR_... is not